Posted by: David Harley | May 22, 2015

Apple Store app 2FA

Slash Gear tells us that ‘Apple Store app gets 2-step verification, Touch ID security’. J.C. Torres writes that the updated iOS app:

…will also now require additional authentication when viewing order history or making reservations at retail stores. This time, however, it will be the more convenient Touch ID that will be required instead of a separate passcode.

David Harley
Small Blue-Green World

Posted by: David Harley | May 22, 2015

Selling on your Android?

Then you might want to be aware that you may be selling on some of your data with it, even after a factory reset.

A paper on Security Analysis of Android Factory Resets by Laurent Simon and Ross Anderson is based on a study of ‘the implementation of Factory Reset on 21 Android smartphones from 5 vendors running Android versions v2.3.x to v4.3.’ They believe that:

…up to 500 million devices may not properly sanitise their data partition where credentials and other sensitive data are stored, and up to 630M may not properly sanitise the internal SD card where multimedia files are generally saved. We found we could recover Google credentials on all devices presenting a flawed Factory Reset.

Anderson’s own blog also points out that this calls into question the ability of security software to guarantee the effectiveness of a remote wipe of a stolen phone if the software relies on a faulty factory reset, an issue explored in more detail in the paper Security Analysis of Consumer-Grade Anti-Theft Solutions Provided by Android Mobile Anti-Virus Apps.

Hat tip to Randy Knobloch, who flagged an article by Liam Tung that brought the papers to my attention.

David Harley
Small Blue-Green World

Posted by: David Harley | May 15, 2015

Apple watch – no Activation Lock

I don’t have (and probably never will have) an Apple watch: I’m quite happy to have a watch that just tells the time. Still, I’m surprised to read on the iDownloadBlog that Watch OS 1.0 lacks the necessary security features to dissuade thieves: that is, it doesn’t have Activation Lock, so it’s ‘…extremely easy to reset an Apple Watch to default settings, bypassing the passcode, and pairing it with a different iPhone.’

I’d be sorry if I lost my current watch, but it’s just a watch: an iGadget is a different kettle of data. To be fair, ‘…the Apple Watch does protect your data. If you have a passcode lock on the device, which we wholeheartedly recommend, at least it will prevent the thief from accessing your personal data on the device.’ What it doesn’t do is dissuade a thief from stealing it in the way that many people have got used to on iPhones and other iGadgets. If you do lose it, there’s nothing to stop the next ‘owner’ from resetting it and using it as if they’d just bought it.

David Harley
Small Blue-Green World

Posted by: David Harley | May 15, 2015

Macs in the Enterprise

It’s a long time since I was directly involved with systems administration and support (back when OS X was still very new), and my recollection is that Macs were relatively easy to administer unless you had to integrate them into Windows environments (or possibly vice versa).

The little network I run now is really not the place to try his suggestions out, but if you are running that sort of environment, Trevor Pott’s article for The Register, ‘Adjustments will be needed to manage the Macs piling up in your business – choose the necessary tools’, looks as if it could be seriously useful.

David Harley
Small Blue-Green World

Posted by: David Harley | May 12, 2015

MacKeeper vulnerability: maybe not that funny

For The Register, Richard Chirgwin reports on a remote code execution vulnerability in MacKeeper: ‘Pop-up pest MacKeeper patches 0-day remote code execution vuln’. The vulnerability is discussed at more length in a SecureMac advisory.

The MacKeeper article advises that users run MacKeeper Update Tracker so as to get a patched version.

Chirgwin suggests that Mac users annoyed by MacKeeper’s reputation for persistent and aggressive pop-up marketing will take some pleasure in the company’s embarrassment. However I wonder how many of the product’s many users will get to hear about the Proof of Concept attack (which MacKeeper’s article doesn’t actually mention) and take appropriate measures.

David Harley
Small Blue-Green World

Posted by: David Harley | May 4, 2015

VT, KnockKnock and OS X security

Here’s a quick follow-up to my earlier post for ITSecurity on OS X malware: I hear you KnockKnocking but you can’t come in (also mentioned on this site here).

VirusTotal reports that Patrick Wardle has incorporated data from the site into KnockKnock, a program intended to flag possible malware generically (by checking for unexpectedly persistent apps). The exact nature of the data isn’t described. VT also mentions tools it has made available to help with OS X security: tools to further characterize Mac OS X executables, and VirusTotal Uploader for OS X.

I haven’t checked these tools out, and can’t comment at present on their efficacy.

David Harley

Posted by: David Harley | April 23, 2015

Android: Google’s new look at malware

Every so often, Google comes up with a presentation that plays down the risk to Android users from malware. An article of mine that Infosecurity Magazine has just published – #RSAC: Android: malware? What malware? – looks at the implications of an RSA 2015 presentation by Lead Android Engineer Adrian Ludwig, deprecating the use of the word malware to describe ransomware, Trojans etc. because it’s ‘confusing’. The presentation is interesting for its insight into current Google security strategies, but in my book, unilaterally changing the terminology used to describe malicious software so that it sounds less frightening is too close to whitewashing to be useful.

David Harley
Small Blue-Green World

Posted by: David Harley | April 21, 2015

Yosemite and Rootpipe

Further to my recent blog on That OS X Backdoor…: I mentioned that the vulnerability flagged by Emil Kvarnhammar – Hidden backdoor API to root privileges in Apple OS X – had been fixed in an update to Yosemite, but that earlier versions of OS X would not be patched.

Today, The Register followed up on its report on the issue with an article that tells us that ‘OS X Yosemite still open to Rootpipe backdoor, warns ex-NSA bod’. Synack’s Patrick Wardle – who presented an interesting paper at Virus Bulletin 2014 on Methods of malware persistence on Mac OS X – has announced that:

I found a novel, yet trivial way for any local user to re-abuse rootpipe – even on a fully patched OS X 10.10.3 system. In the spirit of responsible disclosure, (at this time), I won’t be providing the technical details of the attack (besides of course to Apple). However, I felt that in the meantime, OS X users should be aware of the risk.

According to Shaun Nichols’ article for The Register, Apple has not so far been available for comment.

David Harley
Small Blue-Green World

Posted by: David Harley | April 10, 2015

That OS X Backdoor…

According to Emil Kvarnhammar, a hidden backdoor API in the OS X Admin Framework has been present since 2011 if not earlier, and ‘can be exploited to escalate privileges to root from any user account in the system.’ ArsTechnica says that ‘To fully exploit the bug, attackers would need physical access to the targeted Mac’, but cites an example of how, as Kvarnhammar says, it could be ‘combined with remote code execution exploits.’

According to The Register ‘The flaw (CVE-2015-1130) is fixed in Apple’s patch run this week’ but Apple apparently told Kvarnhammar that because of the volume of changes required, it would not be back-porting the fix to versions 10.9.x and earlier, leaving users of versions older than (patched) Yosemite 10.10 vulnerable to potential exploits.

David Harley
Small Blue-Green World

Posted by: David Harley | April 9, 2015

Apple Fixes and Updates

Also worth reading: Paul Ducklin of Sophos talks on ‘Naked Security’ about how Apple fixes loads of security holes in OS X, iOS, Apple TV, Safari.

  • Yosemite update
  • Mavericks security update
  • Mountain Lion security update
  • iOS 8.3 (fixes two Lock Screen bugs)
  • Apple TV 7.2
  • Safari updates

And a terse summary of the new Photos app.

David Harley
Small Blue-Green World
